EP 0 887 981 A2

(54) Layer-independent security for communication channels



(57) A method and apparatus for providing layer-independent secure network communication is provided. According to an embodiment of the invention, a transmission medium is provided between a first network node and a second network node. Both the first network node and the second network node support at least one common communication protocol. A Java output stream is established between a first process executing on the first network node and the transmission medium. Also, a Java input stream is established between a second process executing on the second network node and the transmission medium. Data to be transmitted from the first process to the second process is encrypted by the first process and written to the Java output stream. The data is transmitted to the second network node. Then the data is read from the Java input stream by the second process and decrypted.
FIELD OF THE INVENTION

The invention relates to data security, and more specifically, to a method and apparatus for providing layer-independent security in network communications.

BACKGROUND OF THE INVENTION 

Some communication networks, particularly complex ones, support multiple communication protocols or "layers." Each layer specifies some functionality or "service" of the network and interacts with the layers immediately above and below, using services of the layer immediately below, while providing services to the layer immediately above. The lowest layer in a communication network typically governs direct communication between the hardware at different network nodes, while the highest layer handles direct communication with application programs executing on the network nodes.

The layered approach to implementing communication networks simplifies the creation and modification of complex communication architectures by providing for incremental changes on a layer-by-layer basis, which are transparent to other layers in the architecture. Two examples of layered communication protocols are the Transmission Control Protocol/Internet Protocol (TCP/IP), which has five layers, and the International Standards Organization's (ISO) Open Systems Interconnection (OSI) Reference Model (RM), which has seven layers.

The proliferation of communication networks and the increased frequency of security breaches have underscored the importance of providing secure network communications. Many communication networks depend upon a secure communication connection or "channel" to maintain security. In the context of secure communication networks, a secure communication channel is a connection which provides for the encryption, authentication or otherwise secure transmission of data between network nodes.

Sometimes, setup negotiation is used to establish security for a communication channel. In the context of network communications, setup negotiation refers to specifying and agreeing to the details about security for a communication channel, such as the details of a particular encryption scheme to be used. Once setup negotiation is complete, all communication during the session conforms to the agreed upon security protocol, which provides secure communication.

Setup negotiation is an effective tool for providing secure communication during a communication session. However, when the amount of information included in each session is small, for example when a session contains only a single message, then the overhead attributable to setup negotiation can adversely affect communication performance. Moreover, some communication architectures do not include a session layer, which requires that a session layer be added to support session type security, further degrading performance.

Another approach for providing a secure communication channel involves encrypting or encoding data at a specific layer on a transmitting network node and then decrypting or decoding the data at a corresponding layer on a destination network node. Encrypting data at a specific layer typically involves applying an encryption algorithm based upon the format of data at a particular layer. Header data added by higher layers is also encrypted. Layer-specific encryption is particularly useful in datagram-based or packet-based networks which are typically sessionless and encapsulate data in datagram packets or some other type of data packet. For example, header data may be added to a data packet so that the data packet conforms to a particular format. This approach also provides for multiple encryptions to be performed at different layers.
Although layer-specific encryption can provide a secure communication channel while avoiding the overhead penalty associated with setup negotiation, it does have several limitations. First, all encryption and decryption must occur at the same corresponding layer on both the transmitting and receiving network nodes, according to the specific protocol supported by that layer. For example, Simple Key Management for Internet Protocols (SKIP) is designed to be used with Internet Protocol packets at the network layer, which requires network-layer-specific function calls. On the other hand, Netscape Communications Corporation's Secure Sockets Layer (SSL) is designed to be used at the (Unix) socket layer and requires socket-layer-specific function calls to encrypt and decrypt data. The result is that one application implementing security according to SKIP cannot interact with another application implementing security according to SSL.

In addition, layer-specific encryption can be difficult to employ in object-oriented environments because of the inherent level of abstraction required. For example, some layers operate on data bytes, which often is a much lower level than objects in an object-oriented environment.

In view of both the need to provide secure communication channels and the limitations in the prior approaches, an approach for providing a secure communication channel which does not rely upon layer-specific encryption and which does not require setup negotiation is highly desirable.


SUMMARY OF THE INVENTION 

According to one aspect of the invention, a method provides communication protocol-independent security for data transmitted between a first process, executing on a first network node, and a second process, executing on a second network node. The first network node and the second network node each support at least one common communication protocol. According to the method, a communication channel is established between the first network node and the second network node. Then, a first stream is established between the first process and the communication channel.

In the context of the invention, a "stream" is an abstraction which refers to the transfer or "flow" of data, in any format, from a single source to a single destination. A stream typically flows through a channel or connection between the sender and receiver, in contrast to data packets, which are typically individually addressed and which may be routed independently to multiple recipients. Hence, an application can write data to, or read data from, a stream without knowing the actual destination or source, respectively, of the data.

After the first stream is established between the first process and the communication channel, a second stream is established between the second process and the communication channel. Data to be transmitted between the first and second processes is encrypted. The encryption of the data is independent of the communication protocol supported by the first network node. The encrypted data is then written to the first stream, which causes the encrypted data to be transmitted from the first network node to the second network node. The encrypted data is read from the second stream and then decrypted to obtain decrypted data which is identical to the data on the first network node before the data was encrypted.

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings, in which like reference numerals refer to similar elements and in which:

Figure 1 is a block diagram of a multi-layered communication network according to an embodiment of the invention;

Figure 2 is a block diagram of a multi-layered communication network according to another embodiment of the invention;

Figure 3 illustrates a stream format according to an embodiment of the invention;

Figure 4 is a flow chart illustrating a method for providing layer-independent secure communication in a multi-layered communication network according to an embodiment of the invention;

Figure 5 is a block diagram of a Java secure channel arrangement according to an embodiment of the invention; and

Figure 6 is a block diagram of a computer system on which the invention may be implemented.



DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

A method and apparatus for providing layer-independent secure communications in a multi-layered communication network is described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, the invention may be practiced without these specific details. In other instances, well-known structures and devices are illustrated in block diagram form in order to avoid unnecessarily obscuring the invention.



FUNCTIONAL OVERVIEW

The invention provides a method and apparatus for providing layer-independent secure communications in a multi-layered communication network. In general, a communication channel or connection is first established between a first multi-layered network node and a second multi-layered network node. Then, a first stream is established between a first process, executing on the first multi-layered network node, and the communication channel. A second stream is then established between a second process, executing on the second multi-layered network node, and the communication channel. Then, the first process performs a layer-independent encryption of data to be transmitted between the first and second multi-layered network nodes and writes the encrypted data to the first stream, which causes the encrypted data to be transmitted to the second multi-layered network node. Then, the encrypted data is read by the second process from the second stream and decrypted so that the decrypted data is identical to the data on the first multi-layered network node prior to being encrypted.

Figure 1 illustrates a multi-layered communication network 100 to which the invention is applicable. In general, multi-layered communication network 100 includes multi-layered nodes 102, 104, communicatively coupled by transmission medium 106. Although multi-layered communication network 100 may resemble the International Standards Organization (ISO) Open Systems Interconnection (OSI) Reference Model (RM), the invention is applicable to any multi-layered communication network.

A process 108 executes on multi-layered node 102 while a process 110 executes on multi-layered node 104. Multi-layered node 102 supports a multi-layered communication hierarchy 112, where each identified layer supports a particular communication protocol. Each layer in hierarchy 112 offers certain services to the higher layers while shielding the higher layers from the details of how those services are actually implemented. Multi-layered node 104 also supports a multi-layered communication hierarchy 114, which includes layers corresponding to the layers in hierarchy 112. All data transmitted from process 108 to transmission medium 106 conforms to all communication protocols supported by hierarchy 112.

For example, to transmit data 116 from process 108 to transmission medium 106, data 116 must first conform to an application protocol specified by application layer 118 on multi-layered node 102. According to one embodiment of the invention, this requires that data 116 be formatted according to the application layer 118 protocol and that an application protocol header AH, which specifies the format of data 116, be appended to the front end of data 116.

This process is repeated for each layer in hierarchy 112. According to one embodiment of the invention, the formatting of data 116 according to a data link layer 120 involves the addition of both a header portion DH and a trailer portion DT to a data portion 122. It should be noted that data link layer 120 is not aware of which portion of data portion 122 corresponds to data 116 and which portion represents formatting information of higher layers. Data link layer 120 formats the entire data portion 122 without regard to which portion may be "real" data 116 and which portion is formatting information added by higher layers in hierarchy 112.

When messages are received by multi-layered node 104 from transmission medium 106, a reverse process occurs. Since messages must conform to the application layer protocol before being processed by process 110, any formatting information attributable to layers below application layer 128 must be removed.

As previously discussed, one approach for providing secure communication between process 108 and process 110 is to have processes 108, 110 perform setup negotiation prior to transmitting data. However, this approach can adversely affect data throughput, particularly when the setup negotiation is performed on a packet-by-packet basis.

Another previously discussed approach is to encrypt the data at one of the layers in hierarchy 112 on multi-layered node 102 before transmitting the data on transmission medium 106. Then, after the encrypted data is received on node 104, the data is decrypted at the corresponding layer in hierarchy 114 on multi-layered node 104 before the data is received by process 110. For example, data may be encrypted at the network layer 124 on multi-layered node 102 and then decrypted at network layer 126 on multi-layered node 104 on a packet-by-packet basis. Although this approach is robust from a security standpoint, the data must be decrypted at the same layer at which the data was encrypted.

LAYER-INDEPENDENT SECURITY 

An approach which provides layer-independent secure network communication in a multi-layered communication network according to an embodiment of the invention is illustrated by the block diagram of Figure 2. A multi-layered communication network 200 includes multi-layered nodes 202, 204 which are communicatively coupled by a transmission medium 206. A process 208 executes on multi-layered node 202 while a process 210 executes on multi-layered node 204.

Multi-layered nodes 202, 204 each support one or more communication layers (protocols) including socket layers 212, 214, respectively. Socket layers 212, 214 provide an interface between processes 208, 210, respectively, and transmission medium 206. Multi-layered nodes 202, 204 may support additional layers (not illustrated) both above and below socket layers 212, 214. Accordingly, socket layers 212, 214 each include sockets (not illustrated), which are end points similar to an OSI Transport Service Access Point (TSAP), and which provide a connection between layers above and below socket layers 212, 214. In addition, a Java secure channel 216 is provided between node 202 and node 204. Java secure channel 216 provides for the layer-independent encryption of high level data constructs such as objects.

Generally, according to an embodiment of the invention, layer-independent security for communications between process 208 and process 210 is provided by process 208 encrypting data which is then written to a Java output stream 218. A Java stream is a stream which provides for the transfer of low level data constructs, such as bytes, as well as high level data constructs, such as serialized objects, between a source and a destination. The data is then conformed to a socket layer protocol by socket layer 212 and written to transmission medium 206. The data is then processed according to socket layer protocol by socket layer 214, read from a Java input stream 220 by process 210 and finally decrypted by process 210.
Encryption of stream data according to embodiments of the invention is by definition layer-independent and provides a level of abstraction which is compatible with many abstract processes and languages which support streams, such as object-oriented languages. Besides the layer-independent data encryption performed by process 208, additional (layer-dependent) encryption may be provided at any layer in node 202, with decryption being performed at the corresponding peer layer in node 204.
The data format of object output stream 218 and object input stream 220 is illustrated in Figure 3. Generally, stream format 300 is an abstract message format which is self-contained and layer-independent. Stream format 300 includes 1 to N variable length messages (M1, M2 ... Mn). Each message (M1, M2 ... Mn) includes a header portion (H1, H2 ... Hn) and a data portion (DATA1, DATA2 ... DATAn). According to one embodiment of the invention, each header portion (H1, H2 ... Hn) specifies the length of the associated data portion (DATA1, DATA2 ... DATAn) and also includes encryption key/authentication information which eliminates the need for setup negotiation. However, certain encryption key/authentication information is established once during system setup so that recipients of the messages (M1, M2 ... Mn) can decrypt data contained in the data portion (DATA1, DATA2 ... DATAn) of each message (M1, M2 ... Mn).

The flexibility of stream format 300 of the invention provides for the implementation of various encryption/authentication approaches and is not limited to the particular encryption/authentication approach described herein. In addition, since stream format 300 is layer-independent, various data formats may be employed without departing from the scope of the invention.

The specific steps for providing layer-independent security of network communication according to an embodiment of the invention are now described with reference to both the block diagram of Figure 2 and the flow chart of Figure 4. Generally, the steps are described in the context of an object-oriented programming method associated with an object, contained in process 208, which invokes a method associated with a remotely located object contained in process 210. In the non-object-oriented context, this is very similar to process 208 issuing a remote procedure call (RPC) to invoke a process remotely located on multi-layered node 204. For purposes of explanation, the data transmitted by the method associated with the object contained in process 208 which invokes the method associated with the remotely located object contained in process 210 is hereinafter referred to as the "object data."

After starting in step 400, in step 402, multi-layered nodes 202, 204 establish an encryption/authentication approach during system setup. Unlike traditional setup negotiation which must be continuously re-negotiated, such as on a per session basis, the agreed upon encryption/authentication approach established between multi-layered nodes 202, 204 only needs to be set up once during system setup, or when either multi-layered node 202, 204 is connected to another node and the security techniques described herein are to be employed with that other node.

In step 404, a Java secure channel 216 is established between node 202 and node 204. According to one embodiment of the invention, Java secure channel 216 is an object class which is defined and invoked by process 208.

In step 406, object output stream 218 is established between process 208 and socket layer 212, and in step 408, object input stream 220 is established between socket layer 214 and process 210. According to one embodiment of the invention, object output stream 218 is an object class defined by process 208 while object input stream 220 is an object class defined by process 210.

In step 410, the object data to be transmitted from process 208 to process 210 is serialized, sometimes referred to as "flattening the object," and then encrypted in step 412 based upon the encryption/authentication approach established in step 402.

In step 414, the object data (serialized and encrypted) is written to object output stream 218, which is received by socket layer 212 and formatted according to socket layer protocol. In step 416, the object data is transmitted from socket layer 212 of multi-layered node 202 to socket layer 214 of multi-layered node 204 over transmission medium 206.

As previously discussed, multi-layered node 202 is illustrated as having a single layer, socket layer 212, while multi-layered node 204 is illustrated as having a single layer, socket layer 214, for purposes of explanation. However, multi-layered nodes 202, 204 may be multi-layered and contain other layers above and below socket layers 212, 214. Consequently, although according to an embodiment of the invention the object data is transmitted onto transmission medium 206 in the format illustrated in Figure 3, it is understood that additional formatting of the object data may be performed according to various other communication protocols contained in multi-layered nodes 202, 204. For example, if multi-layered node 202 also supports Internet Protocol (IP), then each message (M1, M2 ... Mn) illustrated in Figure 3 would also contain IP header information.

After the object data is received by socket layer 214, the object data is read from object input stream 220 by process 210 in step 418. In step 420, the object data is decrypted according to the encryption/authentication approach established in step 402. Then, in step 422, the object data is de-serialized and the method associated with the object remotely located in process 210 is executed. Finally, the process is complete in step 424.
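The stream format of Figure 3 and steps 402 through 422 of Figure 4, carried through in working code as an added example; this is not the patent's own code. The class name SecureObjectChannel, the choice of AES-GCM, the 12-byte nonce, the 128-bit tag, the 20-byte header layout (key identifier, nonce, data length) and the 1 MiB frame limit are this example's assumptions. The "encryption key/authentication information" that the patent places in each header is represented here by a key identifier and a fresh nonce, never by the key itself; the key is the secret established once at setup in step 402 and shared out of band. Because the object data is serialized and encrypted before it touches the output stream, the same code works whether the OutputStream is a socket stream, a file stream or a pipe. Requires Java 9 or later for the deserialization filter.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.HashMap;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the patent's code. One message of the Figure 3 format:
//   Hn    = key id (4 bytes) | nonce (12 bytes) | length of DATAn (4 bytes)
//   DATAn = AES-GCM ciphertext of the serialized object, with the tag appended
// Hn is authenticated as associated data, so altering it fails the tag check.
// The header layout, cipher and size limits are this example's assumptions.
public final class SecureObjectChannel {
    private static final int NONCE_LEN = 12;
    private static final int TAG_BITS = 128;
    private static final int HEADER_LEN = 4 + NONCE_LEN + 4;
    private static final int MAX_DATA_LEN = 1 << 20;  // refuse huge frames before allocating

    private final SecretKey key;                      // established once at setup (step 402)
    private final int keyId;
    private final SecureRandom rng = new SecureRandom();

    public SecureObjectChannel(byte[] rawAesKey, int keyId) {
        this.key = new SecretKeySpec(rawAesKey, "AES");
        this.keyId = keyId;
    }

    // Steps 410-414: serialize, encrypt, then write one framed message to any OutputStream.
    public void writeObject(OutputStream out, Serializable obj)
            throws IOException, GeneralSecurityException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            oos.writeObject(obj);                         // step 410: "flatten" the object
        }
        byte[] plain = buf.toByteArray();
        byte[] nonce = new byte[NONCE_LEN];
        rng.nextBytes(nonce);                             // fresh nonce per message, never reused
        byte[] header = ByteBuffer.allocate(HEADER_LEN)
                .putInt(keyId).put(nonce).putInt(plain.length + TAG_BITS / 8).array();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(header);                              // bind Hn to DATAn
        byte[] data = c.doFinal(plain);                   // step 412
        DataOutputStream dout = new DataOutputStream(out);
        dout.write(header);                               // Hn
        dout.write(data);                                 // DATAn
        dout.flush();                                     // step 414: hand off to the stream
    }

    // Steps 418-422: read one framed message from any InputStream, decrypt, deserialize.
    public Object readObject(InputStream in)
            throws IOException, GeneralSecurityException, ClassNotFoundException {
        DataInputStream din = new DataInputStream(in);
        byte[] header = new byte[HEADER_LEN];
        din.readFully(header);
        ByteBuffer h = ByteBuffer.wrap(header);
        int id = h.getInt();
        byte[] nonce = new byte[NONCE_LEN];
        h.get(nonce);
        int len = h.getInt();
        if (id != keyId) throw new GeneralSecurityException("unknown key id " + id);
        if (len < TAG_BITS / 8 || len > MAX_DATA_LEN) throw new IOException("bad length " + len);
        byte[] data = new byte[len];
        din.readFully(data);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(header);
        byte[] plain = c.doFinal(data);                   // step 420; AEADBadTagException if tampered
        // Step 422. The tag proves the sender held the key; deserialization is still
        // limited to the classes this channel expects rather than anything on the classpath.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(plain))) {
            ois.setObjectInputFilter(
                    ObjectInputFilter.Config.createFilter("maxdepth=8;java.lang.*;java.util.*;!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] rawKey = new byte[16];
        new SecureRandom().nextBytes(rawKey);             // step 402: one key, shared out of band
        SecureObjectChannel sender = new SecureObjectChannel(rawKey, 1);
        SecureObjectChannel receiver = new SecureObjectChannel(rawKey, 1);
        HashMap<String, String> objectData = new HashMap<>(); // constructed sample "object data"
        objectData.put("method", "transfer");
        objectData.put("amount", "250");
        ByteArrayOutputStream wire = new ByteArrayOutputStream(); // stands in for socket layer 212/214
        sender.writeObject(wire, objectData);
        byte[] frame = wire.toByteArray();
        System.out.println("received: " + receiver.readObject(new ByteArrayInputStream(frame)));
        frame[frame.length - 1] ^= 0x01;                  // flip one bit of the tag on the wire
        try {
            receiver.readObject(new ByteArrayInputStream(frame));
        } catch (AEADBadTagException e) {
            System.out.println("tampered frame rejected");
        }
    }
}
```

Two checks a practitioner would add before deploying something like this: the length field is validated before the buffer is allocated, so a corrupted or hostile header cannot force a multi-megabyte allocation, and the decrypted bytes still pass through an ObjectInputFilter, because an authenticated sender and a safe-to-deserialize sender are not the same thing. Swap the ByteArray streams for socket streams and the code is unchanged, which is the layer-independence the patent claims.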
Although embodiments of the invention have been described in the context of encrypting and decrypting object data by processes 208, 210, which are effectively above all of the layers supported by multi-layered nodes 202, 204, respectively, data may be encrypted and decrypted at any layer supported by multi-layered nodes 202, 204, since the encryption of data is performed before the data is written to a stream and is therefore layer-independent.

For example, referring again to Figure 1, according to another embodiment of the invention, process 108 encrypts data 116 and then writes data 116 to a stream (not illustrated) which is formatted according to the protocol hierarchy 112 and transmitted to multi-layered node 104 on transmission medium 106. Since data 116 was encrypted at the stream level, data 116 may be decrypted at any layer in hierarchy 114, so long as data 116 can be extracted from the data stream. Typically, the size and position of data 116 within a data chunk is known, which allows data 116 to be extracted from a data chunk even though the data chunk contains protocol specific information from higher layers. However, if data 116 is encrypted at any other layer in hierarchy 112, then data 116 must first be decrypted at a corresponding layer in hierarchy 114.
According to another embodiment of the invention, a stream is connected to several other protocol-specific streams to support the broadcasting or multi-casting of encrypted information. Figure 5 illustrates an arrangement 500 which includes a stream 502 according to an embodiment of the invention, connected via connectors 504 to intelligent converters 506, which convert stream 502 into protocol-specific streams 508 such as file I/O, object I/O, and socket I/O streams. Converters 506 have the capability to extract the data portion from stream 502 to support streams 508 at any protocol layer.

According to arrangement 500, any number of protocol-specific streams 508 may be connected to stream 502. In addition, the headers of messages in stream 502 may contain destination-specific encryption/authentication information. For example, stream 502 may contain an encryption/authentication value A, while a recipient of one of the protocol-specific streams 508 holds a key value X, making the decryption of stream 502 a function of A and X (key = f(A, X)). Likewise, similar keys may be developed for the other protocol-specific streams 508.
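The per-recipient key idea of arrangement 500 (key = f(A, X)), as an added example that is not the patent's code. It assumes a concrete f and a concrete use for the derived key, both of which go beyond what the page specifies: f is HMAC-SHA256 keyed with the recipient's long-term secret X over a fixed label and the header value A, and the derived key serves as a key-encryption key that wraps (AESWrap, RFC 3394) the single content key under which stream 502 is encrypted. The header then carries A plus one wrapped copy of the content key per protocol-specific stream 508, so the stream is encrypted once and each recipient unwraps only its own entry. The class name MulticastKeyHeader, the label string and the key sizes are this example's assumptions; encryption of the stream body itself is not repeated here.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the patent's code. Destination-specific header entries for
// arrangement 500: the sender puts a random value A in the header and, for each
// recipient i holding secret X_i, a copy of the content key wrapped under
// f(A, X_i). HMAC-SHA256 for f and AESWrap for the wrapping are assumptions.
public final class MulticastKeyHeader {
    private static final byte[] LABEL =
            "stream-502-kek-v1".getBytes(StandardCharsets.US_ASCII); // assumed domain label

    // f(A, X): a 256-bit key-encryption key derived from header value A and recipient secret X.
    public static SecretKey deriveKek(byte[] a, byte[] x) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(x, "HmacSHA256"));
        mac.update(LABEL);
        mac.update(a);
        return new SecretKeySpec(mac.doFinal(), "AES");
    }

    // Sender side: the header entry for the recipient holding secret x.
    public static byte[] wrapForRecipient(byte[] a, byte[] x, SecretKey contentKey)
            throws GeneralSecurityException {
        Cipher wrap = Cipher.getInstance("AESWrap");
        wrap.init(Cipher.WRAP_MODE, deriveKek(a, x));
        return wrap.wrap(contentKey);                     // 24 bytes for a 16-byte content key
    }

    // Recipient side: recover the content key from A and its own entry; fails on the wrong X.
    public static SecretKey unwrapAsRecipient(byte[] a, byte[] x, byte[] entry)
            throws GeneralSecurityException {
        Cipher unwrap = Cipher.getInstance("AESWrap");
        unwrap.init(Cipher.UNWRAP_MODE, deriveKek(a, x));
        return (SecretKey) unwrap.unwrap(entry, "AES", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] x1 = new byte[32], x2 = new byte[32], a = new byte[16], ck = new byte[16];
        rng.nextBytes(x1);                                // constructed long-term secret of recipient 1
        rng.nextBytes(x2);                                // constructed long-term secret of recipient 2
        rng.nextBytes(a);                                 // header value A, fresh per message
        rng.nextBytes(ck);                                // the one content key for stream 502
        SecretKey contentKey = new SecretKeySpec(ck, "AES");

        byte[] entry1 = wrapForRecipient(a, x1, contentKey);   // destination-specific header entries
        byte[] entry2 = wrapForRecipient(a, x2, contentKey);

        SecretKey got1 = unwrapAsRecipient(a, x1, entry1);
        SecretKey got2 = unwrapAsRecipient(a, x2, entry2);
        System.out.println("recipient 1 recovered content key: " + Arrays.equals(got1.getEncoded(), ck));
        System.out.println("recipient 2 recovered content key: " + Arrays.equals(got2.getEncoded(), ck));

        try {                                             // recipient 2 cannot use recipient 1's entry
            unwrapAsRecipient(a, x2, entry1);
            System.out.println("unexpected: cross-recipient unwrap succeeded");
        } catch (InvalidKeyException e) {
            System.out.println("cross-recipient unwrap rejected: " + e.getMessage());
        }
    }
}
```

The integrity check built into AESWrap is what makes the wrong-X case fail loudly rather than yield garbage, which is the property a converter 506 needs when it hands the same stream to several recipients. Rotating A per message means a recipient whose X is later revoked cannot be given a fresh header entry, while recipients that remain keep working without any renegotiation, matching the once-at-setup model of step 402.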

HARDWARE OVERVIEW 

Figure 6 is a block diagram which illustrates a computer system 600 upon which an embodiment of the invention may be implemented. Computer system 600 includes a bus 602 or other communication mechanism for communicating information, and a processor 604 coupled with bus 602 for processing information. Computer system 600 also includes a main memory 606, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 602 for storing information and instructions to be executed by processor 604. Main memory 606 also may be used for storing temporary variables or other intermediate information during execution of instructions by processor 604. Computer system 600 also includes a read only memory (ROM) 608 or other static storage device coupled to bus 602 for storing static information and instructions for processor 604. A storage device 610, such as a magnetic disk or optical disk, is also provided and coupled to bus 602 for storing information and instructions.

Computer system 600 may also be coupled via bus 602 to a display 612, such as a cathode ray tube (CRT), for displaying information to a computer user. An input device 614, including alphanumeric and other keys, is also provided and coupled to bus 602 for communicating information and command selections to processor 604. Another type of user input device is cursor control 616, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 604 and for controlling cursor movement on display 612. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), which allows the device to specify positions in a plane.

The invention is related to the use of computer system 600 to provide layer-independent secure network communication. According to one embodiment of the invention, layer-independent secure network communication is provided by computer system 600 in response to processor 604 executing sequences of instructions contained in main memory 606. Such instructions may be read into main memory 606 from another computer-readable medium, such as storage device 610. However, the computer-readable medium is not limited to devices such as storage device 610. For example, the computer-readable medium may include a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, a CD-ROM, any other optical medium, a RAM, a PROM, an EPROM, a FLASH-EPROM, any other memory chip or cartridge, or any other medium from which a computer can read. Execution of the sequences of instructions contained in main memory 606 causes processor 604 to perform the process steps previously described. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.

Computer 600 also includes a communication interface 618 coupled to bus 602. Communication interface 618 provides a two-way data communication coupling to a network link 620 to a local network 622. For example, if communication interface 618 is an integrated services digital network (ISDN) card or a modem, communication interface 618 provides a data communication connection to the corresponding type of telephone line. If communication interface 618 is a local area network (LAN) card, communication interface 618 provides a data communication connection to a compatible LAN. Wireless links are also possible. In any such implementation, communication interface 618 sends and receives electrical, electromagnetic or optical signals which carry digital data streams representing various types of information.

Network link 620 typically provides data communication through one or more networks to other data devices. For example, network link 620 may provide a connection through local network 622 to a host computer 624 or to data equipment operated by an Internet Service Provider (ISP) 626. ISP 626 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the "Internet" 628. Local network 622 and Internet 628 both use electrical, electromagnetic or optical signals which carry digital data streams. The signals through the various networks and the signals on network link 620 and through communication interface 618, which carry the digital data to and from computer 600, are exemplary forms of carrier waves transporting the information.

Computer 600 can send messages and receive data, including program code, through the network(s), network link 620 and communication interface 618. In the Internet example, a server 630 might transmit a requested code for an application program through Internet 628, ISP 626, local network 622 and communication interface 618. In accord with the invention, one such downloaded application provides for layer-independent secure network communication as described herein.

The received code may be executed by processor 604 as it is received, and/or stored in storage device 610, or other non-volatile storage for later execution. In this manner, computer 600 may obtain application code in the form of a carrier wave.

Although the invention has been described in the context of connection-based communication architectures, the invention is also applicable to sessionless datagram or packet based communication architectures.

The invention provides several advantages over prior approaches for implementing secure network communications. Most importantly, security is implemented using streams which are layer independent. This allows an encrypted stream to be decrypted at any layer without requiring the use of layer specific calls to perform the decryption, which provides greater flexibility than prior approaches. For example, an encrypted stream transmitted by a sending node may be decrypted by a firewall connection at the network (packet) layer having knowledge of the encryption approach negotiated during system setup. Moreover, this approach does not affect existing encryption being carried out at various layers. The approach of the invention avoids the setup negotiation which can significantly degrade communication performance in certain situations. 
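The stream-level encryption described above, written out as an added Java example (not code from the patent): the cipher sits in a wrapper around a plain OutputStream/InputStream, so the same wrapper fits a socket, a pipe or a file, and any receiver that holds the key agreed at setup can decrypt wherever it sits in the stack. The class name, the AES-GCM choice, the in-memory buffer standing in for the transmission medium, and the pre-shared key and nonce are all assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class StreamLayerCrypto {
    private static final int TAG_BITS = 128; // AES-GCM: confidentiality plus an integrity tag

    // Steps (b) and (e): wrap whatever OutputStream the channel offers (socket, pipe, file).
    // The first process encrypts here, before any protocol layer sees the bytes.
    static OutputStream encryptingStream(OutputStream channel, SecretKey key, byte[] nonce) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        return new CipherOutputStream(channel, c);
    }

    // Steps (c), (g), (h): mirror-image wrapper; a node holding the key decrypts, a tampered stream fails the tag check.
    static InputStream decryptingStream(InputStream channel, SecretKey key, byte[] nonce) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        return new CipherInputStream(channel, c);
    }

    public static void main(String[] args) throws Exception {
        // Key and nonce stand in for the approach "negotiated during system setup"; both are
        // constructed here and assumed to be shared with the receiver out of band.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce); // a GCM nonce must never be reused under the same key
        // Transmission medium stand-in: an in-memory buffer. A Socket's streams would be wrapped identically.
        ByteArrayOutputStream medium = new ByteArrayOutputStream();
        byte[] plaintext = "order 42: ship to node 2".getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = encryptingStream(medium, key, nonce)) {
            out.write(plaintext); // step (e); close() runs doFinal and appends the tag
        }
        byte[] onTheWire = medium.toByteArray(); // step (f): the bytes the lower layers carry
        try (InputStream in = decryptingStream(new ByteArrayInputStream(onTheWire), key, nonce)) {
            byte[] recovered = in.readAllBytes(); // steps (g) and (h); tag verified at end of stream
            System.out.println("round trip ok: " + Arrays.equals(recovered, plaintext));
        }
    }
}
```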

In the foregoing specification, the invention has been described with reference to specific embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. 



Claims 



1. A method for providing communication protocol-independent security for data transmitted between a first process, executing on a first network node, and a second process, executing on a second network node, wherein the first network node and the second network node each support at least one common communication protocol, the method comprising the steps of: 

a) establishing a communication channel between the first network node and the second network node; 

b) establishing a first stream between the first process and the communication channel; 

c) establishing a second stream between the second process and the communication channel; 

d) encrypting data to be transmitted between the first and second processes, the encrypting of the data being independent of the at least one communication protocol supported by the first network node; 

e) writing the encrypted data to the first stream; 

f) causing the encrypted data to be transmitted from the first network node to the second network node; 

g) reading the encrypted data from the second stream; and 

h) decrypting the encrypted data to obtain decrypted data which is identical to the data on the first network node before the data was encrypted. 

2. The method of Claim 1, further including the steps of 

a) performing a communication protocol-specific encryption of the data on the first network node, and 

b) performing a communication protocol-specific decryption of the data on the second network node. 

3. The method of Claim 1, wherein the communication channel is a Java secure channel, 

wherein the first stream is a first Java stream, 
wherein the second stream is a second Java stream, 

wherein the step of establishing a communication channel between the first and second network nodes further comprises the step of establishing a Java secure channel between the first and second network nodes, 
wherein the step of establishing a first stream between the first process and the communication channel further comprises the step of establishing a first Java stream between the first process and the Java secure channel, 
wherein the step of establishing a second stream between the second process and the communication channel further comprises the step of establishing a second Java stream between the second process and the Java secure channel, 

wherein the step of writing the encrypted data to the first stream further comprises the step of writing the encrypted data to the first Java stream, and 

wherein the step of reading the encrypted data from the second stream further comprises the step of reading the encrypted data from the second Java stream. 

4. The method of Claim 1, wherein the communication channel is a Java secure channel, wherein the first stream is a Java stream, 

wherein the second stream is a Java stream, 
wherein the method further comprises the step of connecting the Java secure channel to a third Java stream, and 

wherein the third Java stream provides for the transmission of data according to a specific communication protocol. 

5. A computer-readable medium having stored thereon a plurality of sequences of instructions for providing communication protocol-independent security for data transmitted between a first process, executing on a first network node, and a second process, executing on a second network node, wherein the first network node and the second network node each support at least one common communication protocol, the plurality of sequences of instructions including sequences of instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of: 

a) establishing a communication channel between the first network node and the second network node; 

b) establishing a first stream between the first process and the communication channel; 

c) establishing a second stream between the second process and the communication channel; 

d) encrypting data to be transmitted between the first and second processes, the encrypting of the data being independent of the communication protocols supported by the first network node; 

e) writing the encrypted data to the first stream; 

f) causing the encrypted data to be transmitted from the first network node to the second network node; 

g) reading the encrypted data from the second stream; and 

h) decrypting the encrypted data to obtain decrypted data which is identical to the data on the first network node before the data was encrypted. 

6. The computer-readable medium of Claim 5, wherein the computer-readable medium further includes instructions for performing the steps of 

a) performing a communication protocol-specific encryption of the data on the first network node, and 

b) performing a communication protocol-specific decryption of the data on the second network node. 



7. The computer-readable medium of Claim 5, wherein the first stream is a first Java stream, 

wherein the second stream is a second Java stream, 

wherein the step of establishing a communication channel between the first and second network nodes further comprises the step of establishing a Java secure channel between the first and second network nodes, 

wherein the step of establishing a first stream between the first process and the communication channel further comprises the step of establishing a first Java stream between the first process and the Java secure channel, 

wherein the step of establishing a second stream between the second process and the communication channel further comprises the step of establishing a second Java stream between the second process and the Java secure channel, 

wherein the step of writing the encrypted data to the first stream further comprises the step of writing the encrypted data to the first Java stream, and 

wherein the step of reading the encrypted data from the second stream further comprises the step of reading the encrypted data from the second Java stream. 

8. The computer-readable medium of Claim 5, wherein the communication channel is a Java secure channel, 

wherein the first stream is a Java stream, 
wherein the second stream is a Java stream, 
wherein the computer-readable medium further includes instructions for connecting the Java secure channel to a third Java stream, and 
wherein the third Java stream provides for the transmission of data according to a specific communication protocol. 

9. A communication network providing communication protocol-independent secure communication between a first network node and a second network node, wherein the first network node and the second network node each support at least one common communication protocol, wherein the first network node is communicatively coupled to the second network node by a communication channel, the communication network comprising: 

a) a first process executing on the first network node, wherein the first process provides for the communication protocol-independent encryption of data; 

b) a first stream which provides for the transfer of encrypted data between the first process and the communication channel; 

c) a second process executing on the second network node; and 

d) a second stream which provides for the transfer of encrypted data between the communication channel and the second process, wherein the second process also provides for the decryption of data which has been encrypted by the first process. 

10. The communication network of Claim 9, wherein the second process further includes the capability to decrypt data based upon any communication protocol supported by the second network node. 

11. The communication network of Claim 9, wherein the communication channel is a Java secure channel, the first stream is a Java stream and the second stream is a Java stream. 

12. The communication network of Claim 11, further comprising a third Java stream connected to the Java secure channel, the third Java stream providing for the transmission of data according to a specific communication protocol. 

13. A computer data signal embodied in a carrier wave and representing sequences of instruction which, when executed by one or more processors, provide communication protocol-independent security for data transmitted between a first process, executing on a first network node, and a second process, executing on a second network node, wherein the first network node and the second network node each support at least one common communication protocol by performing the steps of: 

a) establishing a communication channel between the first network node and the second network node; 

b) establishing a first stream between the first process and the communication channel; 

c) establishing a second stream between the second process and the communication channel; 

d) encrypting data to be transmitted between the first and second processes, the encrypting of the data being independent of the communication protocols supported by the first network node; 

e) writing the encrypted data to the first stream; 

f) causing the encrypted data to be transmitted from the first network node to the second network node; 

g) reading the encrypted data from the second stream; and 

h) decrypting the encrypted data to obtain decrypted data which is identical to the data on the first network node before the data was encrypted. 

14. The computer data signal of Claim 13, wherein the computer sequence of instructions further includes instructions for performing the steps of 

a) performing a communication protocol-specific encryption of the data on the first network node, and 

b) performing a communication protocol-specific decryption of the data on the second network node. 

15. The computer data signal of Claim 13, wherein the first stream is a first Java stream, 

wherein the second stream is a second Java stream, 

wherein the step of establishing a communication channel between the first and second network nodes further comprises the step of establishing a Java secure channel between the first and second network nodes, 
wherein the step of establishing a first stream between the first process and the communication channel further comprises the step of establishing a first Java stream between the first process and the Java secure channel, 
wherein the step of establishing a second stream between the second process and the communication channel further comprises the step of establishing a second Java stream between the second process and the Java secure channel, 

wherein the step of writing the encrypted data to the first stream further comprises the step of writing the encrypted data to the first Java stream, and 

wherein the step of reading the encrypted data from the second stream further comprises the step of reading the encrypted data from the second Java stream. 

16. The computer data signal of Claim 13, wherein the communication channel is a Java secure channel, 

wherein the first stream is a Java stream, 
wherein the second stream is a Java stream, 
wherein the computer sequence of instructions further includes instructions for connecting the Java secure channel to a third Java stream, and 
wherein the third Java stream provides for the transmission of data according to a specific communication protocol. 

17. A method for providing communication protocol-independent security for data transmitted by a process executing on a network node, the method comprising the steps of: 

a) establishing a stream between the process and a communication channel; 

b) encrypting data to be transmitted by the process, the encrypting of the data being independent of a communication protocol supported by the network node; 

c) writing the encrypted data to the stream; and 

d) causing the encrypted data to be transmitted from the network node to the communication channel. 

18. The method of Claim 17, wherein the communication channel is a Java secure channel, 

wherein the stream is a first Java stream, 
wherein the step of establishing a stream between the process and the communication channel further comprises the step of establishing a Java stream between the process and the Java secure channel, and 

wherein the step of writing the encrypted data to the stream further comprises the step of writing the encrypted data to the Java stream. 

19. The method of Claim 17, wherein the communication channel is a Java secure channel, wherein the stream is a Java stream, 

wherein the method further comprises the step of connecting the Java secure channel to a second Java stream, and 
wherein the second Java stream provides for the transmission of data according to a specific communication protocol. 